Hi, I accidently included the wrong patch. Here is the correct one. Kind regards Nico
-- Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
diff -u gnatsweb-4.00/debian/changelog gnatsweb-4.00/debian/changelog --- gnatsweb-4.00/debian/changelog +++ gnatsweb-4.00/debian/changelog @@ -1,3 +1,12 @@ +gnatsweb (4.00-1.1) unstable; urgency=high + + * Non-maintainer upload by testing security team. + * Fixed missing escaping of the database parameter which leads + to a cross-site scripting vulnerability (XSS) via this + parameter (CVE-2007-2808) (Closes: # 427156). + + -- Nico Golde <[EMAIL PROTECTED]> Sat, 06 Oct 2007 15:03:47 +0200 + gnatsweb (4.00-1) unstable; urgency=low * New upstream release. only in patch2: unchanged: --- gnatsweb-4.00.orig/gnatsweb.pl +++ gnatsweb-4.00/gnatsweb.pl @@ -3977,7 +3977,7 @@ $$cval_hashref{$pref_name} ); - $$pref_hashref{$pref_name} = $val + $$pref_hashref{$pref_name} = $q->escapeHTML($val) if defined($val); }
pgpsB4HGzuUYs.pgp
Description: PGP signature